Hi Mario,

You certainly can. This link explains how to create custom active responses:

http://www.ossec.net/wiki/Know_How:CustomActiveResponses

And this post shows a similar concept to detect fraud with ossec:
http://blog.rootshell.be/2010/03/31/detecting-fraud-with-ossec/

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Mar 25, 2010 at 6:40 PM, Mario Roberto Ginglass
<gingl...@gmail.com> wrote:
> Hi List,
>
> is it possible to execute a script triggered by some rule? Might the results of
> the execution be sent by email within the alert message?
>
> Like this:
> situation 1 => after a rule is dispatched I'd like to add to the alert the
> results of `whois srcip`...
> situation 2 => if OSSEC receives a log sent by my IDS (some policy violation
> for example) related (by srcip) to my proxy server I'd like to include in the
> alert a subset of my proxy access_logs (for example: `tail -10000
> /var/log/squidlog | grep <srcip>`).
>
> Another question: is it possible to correlate in a rule 2 different events, for
> example if IDS log matches XXX and PROXY logs match <srcip> (from the first
> event) then send a new alert (or events generated by 2 different agents)?
>
> Thanks,
> --
> Mário
>
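A sketch of the kind of custom active-response script discussed in this thread, added here as an example and not taken from the thread or from OSSEC itself. It assumes OSSEC calls the script with action, user, srcip, alert id and rule id as arguments; the script name, mail recipient and IPv4-only validation are assumptions, and the script still has to be registered in ossec.conf.

```shell
#!/bin/sh
# Added example, not OSSEC's own code. Hypothetical name: enrich-alert.sh.
# Assumed arguments from OSSEC: $1 action, $2 user, $3 srcip, $4 alert id, $5 rule id.
PROXY_LOG="${PROXY_LOG:-/var/log/squidlog}"   # path from the question
MAIL_TO="${MAIL_TO:-root@localhost}"          # placeholder recipient
TAIL_LINES=10000

# srcip is decoded from log content that a remote party can influence, so
# accept only a strict dotted-quad IPv4 address before using it in a command.
is_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Recent proxy lines containing the address. -F treats it as a literal string
# and -w keeps 192.0.2.10 from matching inside 192.0.2.100.
proxy_hits() {
    tail -n "$TAIL_LINES" "$2" 2>/dev/null | grep -F -w -- "$1"
}

main() {
    action=$1 srcip=$3 alert_id=$4 rule_id=$5
    [ "$action" = "add" ] || return 0      # nothing to undo on "delete"
    is_valid_ipv4 "$srcip" || { echo "rejected srcip: not IPv4" >&2; return 1; }
    {
        echo "Alert $alert_id (rule $rule_id), srcip $srcip"
        echo "--- whois ---"
        whois "$srcip" 2>&1
        echo "--- proxy log ---"
        proxy_hits "$srcip" "$PROXY_LOG"
    } | mail -s "OSSEC enrichment for $srcip" "$MAIL_TO"
}

# Run only when called with the full argument list, as OSSEC does.
if [ "$#" -ge 5 ]; then main "$@"; fi
```

The enrichment goes out as a separate mail rather than inside the original alert message.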
